ISR to ISR – IPSec VPN Configuration

ciscoipsec

Trying to form IPsec between two ISR-4000s.
There is a Nexus in between to form EIGRP between them.
EIGRP is even running on the ISRs' inside interfaces
(leaving it on for lab purposes for now).

[bridge eigrp]

bridge# sho ip eig nei
IP-EIGRP neighbors for process 2018 VRF default
H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.3.200.1              Vlan863         14   00:44:02  1    50    0   4
1   172.32.255.10           Eth1/15         13   00:43:43  1    50    0   3
bridge#

[ISR-1 config]

ISR-1#show run
Building configuration...


Current configuration : 2834 bytes
!
! Last configuration change at 04:14:50 UTC Wed Nov 22 2017 by admin
! NVRAM config last updated at 04:15:51 UTC Wed Nov 22 2017 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ISR-1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$I/z2$tD3NYEA8w.aZi56aLp8rN0
enable password 7 111B1C1D
!
no aaa new-model
!
!
!

ip domain name lab
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4451-X/K9 sn FOC21066XYV
!
spanning-tree extend system-id
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
crypto isakmp policy 5
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto isakmp key cisco@123 address 172.32.255.10  
!
!         
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
!
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
 set peer 172.32.255.10
 set transform-set MY-SET 
 match address VPN-TRAFFIC
!
!
interface Loopback1
 ip address 10.155.155.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 192.168.200.1 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 ip address 10.3.200.1 255.255.255.252
 negotiation auto
 crypto map IPSEC-SITE-TO-SITE-VPN
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.7.0.121 255.255.255.0
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 2018
 network 10.3.200.0 0.0.0.3
 network 192.168.200.0 0.0.0.3
!
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.7.0.1
ip ssh version 2
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.155.155.0 0.0.0.255 10.255.255.0 0.0.0.255
!
access-list 101 deny   ip 10.155.155.0 0.0.0.255 10.255.255.0 0.0.0.255
access-list 101 permit ip 10.155.155.0 0.0.0.255 any
!
snmp-server community public RO
snmp-server community private RW
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 011F0706
 login local
 transport input ssh
!

!
!
pnp profile PNP-PROFILE
 transport http ipv4 172.27.255.84 port 80
end

ISR-1# 

[ISR-2 config]

ISR-2#show run
Building configuration...


Current configuration : 8528 bytes
!
! Last configuration change at 04:15:45 UTC Wed Nov 22 2017 by admin
! NVRAM config last updated at 04:15:46 UTC Wed Nov 22 2017 by admin
!
version 16.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ISR-2
!
boot-start-marker
boot system flash bootflash:isr4400-universalk9.16.05.01b.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$qneF$lAwARcwDQIaS/8/7/r/bm1
enable password 7 071D2454
!
no aaa new-model
!
!
!
!
subscriber templating
! 
multilink bundle-name authenticated
!
!
!
!
crypto pki trustpoint 123
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl
!
crypto pki trustpoint 172.25.21.23
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl
!
!
crypto pki certificate chain 123
 certificate ca 2115431077443866774917843264197906069A
  308203C4 308202AC A0030201 02021321 15431077 44386677 49178432 64197906 

        quit
crypto pki certificate chain 172.25.21.23
 certificate ca 008AE70D8BD3D5DA91
  308203E0 308201C8 A0030201 02020900 8AE70D8B D3D5DA91 300D0609 2A864886 
  F70D0101 0B050030 12311030 0E060355 04030C07 6B756265 2D636130 1E170D31 

!
license udi pid ISR4451-X/K9 sn FOC21066Y40
license accept end user agreement
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
crypto isakmp policy 5
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto isakmp key cisco@123 address 10.3.200.1     
!
!
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha512-hmac 
 mode tunnel
!
!
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
 set peer 10.30.200.1
 set transform-set MY-SET 
 match address VPN-TRAFFIC
!
interface Loopback1
 ip address 10.255.255.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 description ansibly 0000
 ip address 172.32.255.10 255.255.255.0
 negotiation auto
 crypto map IPSEC-SITE-TO-SITE-VPN
!         
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 description ansibly 2222
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 172.23.162.103 255.255.255.0
 negotiation auto
!
!
router eigrp 2018
 network 10.0.1.0 0.0.0.255
 network 10.255.255.0 0.0.0.255
 network 172.32.255.0 0.0.0.255
 network 192.168.255.0 0.0.0.7
!

threat-visibility
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http client source-interface GigabitEthernet0
ip tftp source-interface GigabitEthernet0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 172.23.162.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.7.0.1 20
!
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.255.255.0 0.0.0.255 10.155.155.0 0.0.0.255
!
logging host 172.20.57.222
access-list 101 deny   ip 10.255.255.0 0.0.0.255 10.155.155.0 0.0.0.255
access-list 101 permit ip 10.255.255.0 0.0.0.255 any
!
!
snmp-server community public RO
snmp-server community private RW
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 11051807
 login local
 transport input ssh
!

!
end

ISR-2# 

[ping]

ISR-1#ping 172.32.255.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.32.255.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ISR-1#

[show crypto session]

ISR-1#show cryp ses 
Crypto session current status

Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 172.32.255.10 port 500 
  IPSEC FLOW: permit ip 10.3.200.0/255.255.255.0 10.2.200.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.3.200.0/255.255.255.0 192.168.255.0/255.255.255.247 
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0/3
Session status: DOWN
Peer: 172.32.255.10 port 500 
  IPSEC FLOW: permit ip 10.3.200.0/255.255.255.0 10.2.200.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.3.200.0/255.255.255.0 192.168.255.0/255.255.255.247 
        Active SAs: 0, origin: crypto map

ISR-1#

[show crypto isakmp sa]

ISR-1#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

ISR-1#

[To generate traffic]
ping still failed after following
https://supportforums.cisco.com/t5/vpn/how-to-generate-interesting-traffic-on-the-asa/td-p/2688067 and
after removing the route as suggested in https://www.tunnelsup.com/site-to-site-vpn-tunnel-between-asa-and-cisco-router/

ISR-1(config)#ip nat inside source list 101 interface GigabitEthernet0/0/3 overload

#ping 10.155.155.1 source loop 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.155.155.1, timeout is 2 seconds:
Packet sent with a source address of 10.255.255.1 
.....
Success rate is 0 percent (0/5)

[Thanks to the answer]

#show cry sess
Crypto session current status

Interface: GigabitEthernet0/0/3
Session status: UP-IDLE
Peer: 172.32.255.10 port 500 
  Session ID: 0  
  IKEv1 SA: local 10.3.200.1/500 remote 172.32.255.10/500 Active 
  IPSEC FLOW: permit ip 10.155.155.0/255.255.255.0 10.255.255.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Best Answer

Your crypto maps go on the "outside" interfaces -- the ones connected to the bridge router. The peering relationship is formed between those interfaces. You have it on both interfaces on ISR-1.

Also, you need to generate matching traffic. ISR 2 has no interfaces that would match the ACL for the VPN.

One more thing: on ISR-2, the ACL for NAT (101) doesn't look right. Are you sure that's the way you want it?
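Added example, not part of the original thread and not Cisco tooling: a small Python pre-flight check that reads the two running-configs posted in the question and flags the points the answer raises (crypto map placement, matching traffic, NAT exemption), plus the peer mismatch and the routing gap that are visible in those configs. It only parses the `crypto isakmp key`, `crypto map`, interface, `router eigrp`, `ip nat inside source` and access-list lines. The `ISR1`/`ISR2` strings are trimmed from the two `show run` outputs above; the function names (`parse`, `audit`, `findings`) are this example's own; the `host` ACL keyword is not handled; and the last check assumes EIGRP is the only source of routes between the sites, which is how this lab is built.

```python
# Added example for this thread (not code from the original post or from Cisco):
# a pre-flight consistency check of a crypto-map site-to-site pair. ISR1/ISR2 are
# trimmed from the question's `show run` outputs; EIGRP is assumed to be the only
from ipaddress import IPv4Network   # source of routes between the sites (lab).

ISR1 = """\
hostname ISR-1
crypto isakmp key cisco@123 address 172.32.255.10
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer 172.32.255.10
 match address VPN-TRAFFIC
interface GigabitEthernet0/0/3
 ip address 10.3.200.1 255.255.255.252
 crypto map IPSEC-SITE-TO-SITE-VPN
router eigrp 2018
 network 10.3.200.0 0.0.0.3
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip access-list extended VPN-TRAFFIC
 permit ip 10.155.155.0 0.0.0.255 10.255.255.0 0.0.0.255
access-list 101 deny   ip 10.155.155.0 0.0.0.255 10.255.255.0 0.0.0.255
access-list 101 permit ip 10.155.155.0 0.0.0.255 any
"""
ISR2 = """\
hostname ISR-2
crypto isakmp key cisco@123 address 10.3.200.1
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer 10.30.200.1
 match address VPN-TRAFFIC
interface GigabitEthernet0/0/0
 ip address 172.32.255.10 255.255.255.0
 crypto map IPSEC-SITE-TO-SITE-VPN
router eigrp 2018
 network 10.255.255.0 0.0.0.255
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip access-list extended VPN-TRAFFIC
 permit ip 10.255.255.0 0.0.0.255 10.155.155.0 0.0.0.255
access-list 101 deny   ip 10.255.255.0 0.0.0.255 10.155.155.0 0.0.0.255
access-list 101 permit ip 10.255.255.0 0.0.0.255 any
"""

def net(addr, wild):
    """IOS 'address wildcard' pair -> IPv4Network (wildcard inverted to a netmask)."""
    mask = ".".join(str(255 - int(o)) for o in wild.split("."))
    return IPv4Network(f"{addr}/{mask}")

def ace(w):
    """Tokens of 'permit|deny ip SRC WILD DST WILD' ('any' allowed) -> (action, src, dst)."""
    t = " ".join(w[2:]).replace("any", "0.0.0.0 255.255.255.255").split()
    return w[0], net(*t[:2]), net(*t[2:4])

def parse(cfg):
    """Pull the pieces a crypto-map VPN depends on out of an IOS running-config."""
    c, sect, cur = {"keys": {}, "ifaces": {}, "acls": {}, "eigrp": []}, None, None
    for line in cfg.splitlines():
        w = line.split()
        if not w: continue
        if line[0] != " ":                 # an unindented command starts a new section
            sect, cur = None, None
            if w[0] == "hostname": c["name"] = w[1]
            elif w[:3] == ["crypto", "isakmp", "key"]: c["keys"][w[5]] = w[3]
            elif w[:2] == ["crypto", "map"]: sect = "map"
            elif w[0] == "interface": sect, cur = "if", c["ifaces"].setdefault(w[1], {})
            elif w[:2] == ["ip", "access-list"]: sect, cur = "acl", c["acls"].setdefault(w[3], [])
            elif w[0] == "access-list": c["acls"].setdefault(w[1], []).append(ace(w[2:]))
            elif w[:3] == ["ip", "nat", "inside"]: c["nat_acl"] = w[5]
            elif w[:2] == ["router", "eigrp"]: sect = "eigrp"
        elif sect == "map" and w[:2] == ["set", "peer"]: c["peer"] = w[2]
        elif sect == "map" and w[:2] == ["match", "address"]: c["acl"] = w[2]
        elif sect == "if" and w[:2] == ["ip", "address"]: cur["ip"] = w[2]
        elif sect == "if" and w[:2] == ["crypto", "map"]: cur["map"] = True
        elif sect == "eigrp" and w[0] == "network": c["eigrp"].append(net(*w[1:3]))
        elif sect == "acl" and w[0] in ("permit", "deny"): cur.append(ace(w))
    return c

def audit(local, remote):
    """Findings for `local`, checked against the peer it is meant to talk to."""
    f, me, you = [], local["name"], remote["name"]
    outside = [n for n, i in local["ifaces"].items() if i.get("map")]
    if len(outside) != 1:
        f.append(f"{me}: crypto map is on {len(outside)} interfaces; it belongs on the one outside interface")
    if remote.get("peer") not in {local["ifaces"][n].get("ip") for n in outside}:
        f.append(f"{me}: {you} sets peer {remote.get('peer')}, which is not {me}'s crypto-map interface address")
    if local.get("peer") not in local["keys"]:
        f.append(f"{me}: no 'crypto isakmp key' configured for set peer {local.get('peer')}")
    mine = {(s, d) for a, s, d in local["acls"].get(local.get("acl"), []) if a == "permit"}
    theirs = {(d, s) for a, s, d in remote["acls"].get(remote.get("acl"), []) if a == "permit"}
    if mine != theirs:
        f.append(f"{me}: crypto ACL {local.get('acl')} is not the mirror image of {you}'s")
    nat = local["acls"].get(local.get("nat_acl"), [])
    for src, dst in mine:
        first = next((a for a, s, d in nat if src.subnet_of(s) and dst.subnet_of(d)), None)
        if first != "deny":               # VPN traffic must be exempted before the permit-any
            f.append(f"{me}: NAT ACL {local.get('nat_acl')} does not exempt {src} -> {dst}")
        if not any(src.subnet_of(n) for n in local["eigrp"]):
            f.append(f"{me}: protected network {src} is not advertised in EIGRP, so {you} has no route to it")
    return f

def findings():   # both directions of the check, on the configs from the question
    return audit(parse(ISR1), parse(ISR2)) + audit(parse(ISR2), parse(ISR1))

print("\n".join(findings()))
```

Run as-is it reports three findings, all of which can be read straight off the posted configs: ISR-2's crypto map does `set peer 10.30.200.1` while ISR-1's crypto-map interface is 10.3.200.1 (and ISR-2's only `crypto isakmp key` is for 10.3.200.1, so even a corrected peer needs no further key change), and ISR-1's `router eigrp 2018` only has `network` statements for the transit links, so ISR-2 never learns 10.155.155.0/24. With the configs as posted, ISR-2 has no default route in the global table either, so `ping 10.155.155.1 source loop 1` from ISR-2 is dropped for lack of a route before it can ever match the crypto map, which is a different failure from "no interesting traffic". Fixing the peer and adding `network 10.155.155.0 0.0.0.255` on ISR-1 makes the report empty; the UP-IDLE session shown under "[Thanks to the answer]" (IKEv1 SA between 10.3.200.1 and 172.32.255.10) is consistent with the peer having been corrected. Note also that neither config puts `ip nat inside` or `ip nat outside` on any interface, so the `ip nat inside source list 101` statement is not translating anything yet; the deny-VPN-traffic-before-permit shape of ACL 101 is still the one you want for when it does.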